The Financial Action Task Force (FATF) is the international body that sets global risk-based standards on anti-money laundering, terrorist financing and financing proliferation of weapons of mass destruction (AML/CFT). It issues recommendations (FATF Recommendations) for adoption by individual jurisdictions, formal Interpretive notes on the recommendations, and related guidance and reports.

On June 21, 2019, the FATF announced that it had adopted an interpretive note (INR.15) to its recommendation on New Technologies to further clarify the applicability of the recommendations to virtual asset activities. It also issued guidance (guidance) to assist countries and businesses on their AML/CFT obligations under the FATF Recommendations regarding virtual asset activities.

This month's column will discuss some of the major points of the new interpretive note and guidance.

A Little Background

In June 2014, the FATF issued a report—Virtual Currencies: Key Definitions and Potential AML/CFT Risks—after it had researched the characteristics of virtual currency and its legitimate uses as well as its potential to be used for illegal purposes.

A year later, in June 2015, the FATF issued Guidance for a Risk-Based Approach to Virtual Currencies that discussed how the FATF's risk-based approach to AML/CFT could be applied in the virtual currency world.

In October 2018, after further review of its AML/CFT guidance in context of virtual currency, the FATF amended its Recommendation regarding New Technologies (FATF Recommendation 15) to include references to virtual assets, added definitions of “virtual assets” and “virtual asset service providers” and urged countries to take action to prevent the misuse of virtual assets in their jurisdictions.

Prior to the October 2018 amendment, FATF Recommendation 15 on New Technologies read as follows:

Countries and financial institutions should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products. In the case of financial institutions, such a risk assessment should take place prior to the launch of the new products, business practices or the use of new or developing technologies. They should take appropriate measures to manage and mitigate those risks.

The October 2018 amendment added a new paragraph at the end:

To manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.

The FATF also added two definitions:

“Virtual Assets” (VA): “A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.”

“Virtual Asset Service Provider” (VASP): “Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i.  exchange between virtual assets and fiat currencies;

ii. exchange between one or more forms of virtual assets;

iii. transfer of virtual assets [i.e., conducting a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another];

iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

v. participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.”

At that time in 2018, it was expected that the FATF would issue more specific proposals on regulation of virtual assets. It did so a year later in adopting INR.15 and issuing the Guidance in June 2019.

Interpretive Note 15

INR.15 is applicable both to governmental jurisdictions and to companies engaged in VA activities such as VASPs. Jurisdictions are expected to officially adopt and implement the requirements of the revised Recommendation and INR.15 to incorporate VA activities and VASPs into their current regulatory regimes on compliance with the FATF Recommendations. VASPs also should use all the recommendations as a guide to adopting AML/CFT policies and procedures involving VA activities and VASPs.

INR. 15 advises the following:

Characterization of VA: Jurisdictions should treat VA as “'property,' 'proceeds,' 'funds,' 'funds or other assets,' or other 'corresponding value.'” Relevant provisions of the FATF Recommendations also should be made applicable to VASPs.

Risk-Based Approach: Regulators should take the same risk-based approach to regulation of VA activities and VASPs as FATF Recommendation 1, which sets out the general risk-based approach of the FATF Recommendations on establishing an effective AML/CFT regulatory regime. A jurisdiction's regulator should “identify, assess and understand” the money laundering/terrorist financing/proliferation risks in that country. In addition, each jurisdiction should establish a “central authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively.”

Licensing and Registration of VASPs: VASPs should be required to be licensed or registered: if an entity, at least in the jurisdiction in which they were established, or, if a natural person, where the place of business is located. Regulators also may require VASPs operating in their jurisdiction to be licensed or registered if they serve customers in their state, regardless of where they are organized. As with AML/CFT recommendations on “know your customer” procedures, jurisdictions should adopt measures to ascertain the beneficial owner of VASPs that are legal entities in order to ensure criminals are not the beneficial owners of the VASP.

Financial Institutions Engaging in VA Activity: If the VASP already is chartered or licensed as a financial institution in a jurisdiction, regulators in that jurisdiction should not impose a separate licensing or registration on the entity, so long as the entity is approved to conduct VA activity and is subject to the FATF Recommendations as enacted in that jurisdiction.

Regulatory Supervision of VASPs: Regulators should supervise and monitor VASPs for compliance with the FATF Recommendations as enacted in their jurisdictions and have the authority to impose and enforce penalties for violations. VASPs also should be required to maintain effective systems to ensure compliance with relevant AML/CFT legislation.

Penalty Options: Each jurisdiction should have adequate authority and a broad range of options to take enforcement action against those VASPs that violate the AML/CFT requirements in their jurisdictions.

Funds Transfers: VASPs generally should be subject to the same FATF Recommendations regarding preventive actions when sending transfers of funds on behalf of others, including ensuring adequate recordkeeping policies and procedures.

International Cooperation and Coordination: There should be coordination and cooperation among the jurisdictions internationally on AML/CFT measures, including sharing of information on VASP activity that could be useful to the other countries.

The Guidance

The purpose of the Guidance is to assist jurisdictions in understanding the AML/CFT risks posed by VA activity and VASPs that need to addressed and mitigated. It describes how VA activity and VASPs fit within the scope of the FATF Recommendations, and sets forth the AML/CFT regulatory obligations that should be imposed on VASPs and VA activity.

Section I: Introduction: In this Section, the FATF describes the history of its work in the VA area, culminating in INR.15 and the Guidance. The Guidance sets out how to adapt the risk-based focus of the FATF Recommendations to VA/VASP activities. It also discusses banks offering banking services to VASPs, and warns against automatically refusing such accounts, urging instead a risk-based assessment before deciding to accept or reject such an account.

Section II: Scope of FATF Standards: Section II covers how VA activities and VASPs fall within the scope of the FATF Recommendations and how they should be subject to the FATF AML/CFT standards. Key areas covered are: (i) the initial assessment of the AML/CFT risks posed by VA activities and VASPs in the particular jurisdiction; (ii) relevant FATF definitions and aspects of the VASP business relevant for AML/CFT purposes and (iii) how to determine if VASPs should be subject to the FATF Recommendations. The Guidance emphasizes that these requirements do not apply to the individual buying and selling VA for the person's own account. Nor does it apply to persons developing the technology underlying VA activity and VASPs, such as a software application, or providing ancillary services such as digital wallets, so long as the person is not using such technology or services to engage in or facilitate VA transactions on behalf of other persons.

Section III: Application of FATF Standards to Countries and Competent Authorities: This Section describes how each of the FATF Recommendations (not just Recommendation 15) apply to jurisdictions and government officials regarding VA activities and VASPs. It focuses on those parts of INR.15 that deal with how jurisdictions can identify and assess the AML/CFT risks in their jurisdictions regarding VA activity and VASPs, and then take steps to mitigate those risks, such as establishing a regulatory regime that includes licensing and regulation of VA activities and VASPs, carrying out regulatory supervision on a par with supervision of other financial activities with appropriate penalty authority, and ongoing interaction with other regulators around the world.

Section IV: Application of FATF Standards to VASPs and Other Obliged Entities that Engage in or Provide Covered VA Activities: This Section focuses on how the FATF Recommendations would apply not just to countries but also to VASPs or any other entity that might engage in VA activities, including financial institutions such as banks and securities firms. This Section offers suggestions on how VASPs and others engaged in VA activities might comply, including with respect to customer identification, ongoing monitoring of transactions, reporting suspicious transactions, and utilizing commercially available technology to facilitate compliance.

Section V: Country Examples of Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers: The Guidance concludes with examples of how several different countries have dealt with AML/CFT regulation of VA activities and VASPs. The Guidance discusses Italy, Norway, Sweden, Finland, Mexico, Japan and, at some length, the United States.

Conclusion  

The virtual asset industry still is evolving—it is ever changing and jurisdictions need to be able to maintain regulatory regimes to address the AML/CFT risks that can arise from this activity. The FATF's view is that virtual assets and virtual asset service providers are pretty much like any other financial product or service, and, as such, susceptible to misuse by money launderers or financiers of terrorism or weapons of mass destruction. The ability to make transactions less transparent to counterparties, the public and regulators can be very attractive to criminals. As a result, VA activity and VASPs should be subject to compliance with the FATF Recommendations just like banking, securities or other financial activities. It now is up to individual jurisdictions to take the appropriate actions to incorporate INR.15 and the Guidance into their current regulatory regimes.

Kathleen A. Scott is a senior counsel in the New York Office of Norton Rose Fulbright.